A recent survey of the Canadian enterprise security landscape offers good news and bad news.

The bad news is that security attacks on large Canadian organizations have grown significantly – to 82 per cent, up from 67 per cent three years ago. The good news? The ability of enterprises to understand, detect and counteract attacks is also increasing.

The cross-Canada survey of 240 organizations was conducted in 2006 by The Strategic Counsel, a Toronto-based research firm. It was sponsored by CA Canada Inc., the Toronto-based subsidiary of CA International Inc., a security management software firm headquartered in Islandia, N.Y.

Survey findings were revealed on Wednesday at a CA Identity and Access Management (IAM) symposium held in Toronto. The event was co-sponsored by Bell Security Solutions Inc. (BSSI), a network and information security provider based in Ottawa.

The survey also reported an increase in the number of internal security breaches Canadian organizations have dealt with in the past year: 30 per cent, up from less than 5 per cent three years ago.

But presenter Warren Shiau, lead analyst at The Strategic Counsel, pointed out this finding correlated with a greater ability to detect and deal with breaches, as investment in security has also increased over this period and created some resistance. To illustrate, he pointed out that although the number of attacks has grown, losses of productivity resulting from these have in fact decreased over the three-year period, down to 76 per cent from 87 per cent. Canadian companies aren’t looking for big bang solutions as there are budgetary constraintsWarren Shiau>Text

To further support that contention, Shiau noted a 28 per cent growth in the implementation of Identity and Access Management (IAM) products and services is projected over the next 12-18 months, based on roll-out plans provided by survey respondents. “But ultimate integration and functionality are not big factors in choices,” said Shiau. “Canadian companies aren’t looking for big bang solutions as there are budgetary constraints.”

The survey also provided some compelling statistics correlating under-investment in security with increased attacks: respondents who believed their security spend was too low reported a greater incidence of attacks than those who felt spend was adequate, particularly in the virus attack and internal breach categories. As in many IT spheres, Shiau noted a disconnect in executive awareness of cause and effect. “Although respondents identified public embarrassment as a key cost, this isn’t translating into executive recognition that lack of good security is a threat,” he said. Roberta Witty – an industry analyst – who spoke at the event, noted that most IAM implementations are currently driven by the plethora of regulatory and compliance requirements overwhelming large companies.

As a result, a fourth ‘A’ – audit – has now joined the previous security trinity of authentication, authorization and access control, said Roberta Witty, vice-president of the information security and privacy group at Gartner, Inc. based in Stamford, Conn.

Witty outlined Gartner’s eight-step IAM audit and compliance process, and the underlying business and technology drivers associated with the steps. She said a full implementation is lengthy, and could require up to five years, as major changes in business processes and IT infrastructure are required. But don’t try to boil the ocean, she cautioned: a phased-in approach works best.

Witty also noted that organizational and political issues could comprise up to 80 per cent of an IAM project’s efforts, and that the remaining 20 per cent devoted to technology are less problematic. For example, in role-based identity management, people’s true roles rarely map back tidily to formal descriptions in HR systems. Many employees wear many hats, she said, and people with nebulous positions such as ‘project manager’ and ‘HR specialist’ might require access rights not reflected in formal job descriptions.

Some of these issues were picked up later in a general panel discussion of IAM implementation issues. Tom Moss, vice-president of technology at BSSI, said companies should not underestimate the amount of data involved in an IAM project. In some companies, some data cleansing was required first before they could proceed, as there was no ultimate, authoritative data within their systems that accurately reflected their employees’ roles.

Rosa Caputo, managing director at KeyData Associates, a Toronto-based consultancy specializing in IT security, also echoed this concern. Companies can go beyond compliance by implementing an IT governance structure. Instead of reacting to particular regulatory requirement, companies can implement a governance infrastructure once and reap the benefits repeatedly, thus creating the conditions for sustainable compliance in the long-term.

A bit of good-natured American-Canadian banter ensued when Witty noted the threshold for a company to consider automating security and implementing massive IAM tools was about 3000 employees. But Shiau pointed out that in Canada’s business environment, the threshold was closer to 1500 employees, based on feedback provided by survey respondents deploying an IAM.